Dell Admits Hackers May Have Stolen Customer Data

Dell EMC has sent password reset notifications to all Dell.com customers following "unauthorized activity on our network" that "attempted to extract Dell.com customer information, limited to names, email addresses and hashed passwords", according to an official statement. While claiming that there is "no conclusive evidence" that any of the information targeted by the attacker was actually extracted, Dell does admit that it is possible some may have been successfully exfiltrated. That suggests that, as of now, Dell doesn't have a complete handle on the events that took place on November 9th. Indeed, there appears to be some confusion in the statements made by Dell itself concerning the reach and impact of this breach.

That official statement claims that there is no indication that any credit card "or other sensitive customer information" was targeted, yet this is at odds with itself, as both email and hashed passwords are pretty sensitive information if you ask me. Or if you ask Sumit Agarwal, co-founder & COO at Shape Security, for that matter. "In stressing that the information lost was limited to those name, email, and hashed password, and that those items are not sensitive, Dell seems to downplay the extent of the breach", Agarwal said in an email conversation, which continued: "in security circles, email and hashed passwords are also known as the keys to the kingdom in terms of giving criminals full access to other accounts belonging to a given user who may have re-used those credentials information elsewhere."

Dell insists that the hashing of customers' passwords, along with the forced reset of all passwords following the breach, will limit any potential exposure, but that might not be enough. It all rather depends upon the sophistication of the password hashing techniques being employed by Dell, which can only be speculated upon currently. Dell simply refers to "a hashing algorithm that has been tested and validated by an expert third-party firm." Certainly, similar breaches have historically suggested that threat actors with hashed passwords and email addresses are perfectly capable of discovering at least some usable passwords from this data. The risk is greatest for those who re-use their passwords across sites and services, as Agarwal has already said. Unfortunately, of course, that is a very large proportion of the online public.
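Why the choice of hashing technique matters, as an added example that is not from Dell or from the original article: it contrasts an unsalted single-pass hash with a salted, memory-hard one over a constructed credential table. Dell's actual algorithm is not public; the account data, function names and scrypt parameters here are illustrative assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data): two users share one password.
ACCOUNTS = [
    ("alice@example.com", "Summer2018!"),
    ("bob@example.com", "Summer2018!"),
    ("carol@example.com", "x9#Lq2-vT7pw"),
]

def fast_unsalted(password):
    """Weak storage: one SHA-256 pass, no salt; equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).digest()

def slow_salted(password, salt=None):
    """Stronger storage: per-user random salt plus memory-hard scrypt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_salted(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_hash_groups(table):
    """Audit a credential table: list accounts whose stored hashes are identical."""
    groups = defaultdict(list)
    for email, digest in table.items():
        groups[digest].append(email)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build_tables():
    """Store the same constructed accounts under both schemes."""
    weak = {email: fast_unsalted(pw) for email, pw in ACCOUNTS}
    strong = {email: slow_salted(pw) for email, pw in ACCOUNTS}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted clusters:", shared_hash_groups(weak))
    print("salted clusters:  ",
          shared_hash_groups({e: d for e, (_, d) in strong.items()}))
```

With the unsalted table, one recovered password exposes every account in its cluster at once; with per-user salts, each stored hash has to be worked on separately and at scrypt's cost per guess.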

What else is known at this stage about the breach? Well, Dell says that the primary online services affected were Dell.com, Premier, Global Portal and support.dell.com (Esupport). DellEMC.com and DellTechnologies.com customer account information was not targeted. There is also the small matter of the time taken to disclose the breach: Dell became aware of it on November 9th, yet it took 19 days of investigation before customers were made aware of the potential information compromise by way of the password reset.

Sam Curry, chief security officer at Cybereason, says that "interestingly, Dell's statement makes it seem like the intrusion was only in the edge systems and not core Dell", adding "but only a handful of people are in the know on the inside at Dell." That could mean that the threat actors, likely not nation-state actors given the targeted data, wound up with a consolation prize in terms of the email and hashed passwords when credit card data proved out of reach. "Resetting passwords is always a good security measure, even if the hackers didn't walk away with anything significant", Curry says, concluding "this message also implies Dell is still working extremely hard to clean everything out..."